Map multiple fields to construct user_claim parameter while creating a role

sanketjpatel · September 21, 2022, 6:18pm

While creating a role for authenticating via JWT for Gitlab, I would like to construct a unique identifier by combining multiple fields from the JWT claims.

In the example over here - Authenticating and reading secrets with HashiCorp Vault | GitLab

a role is created using the following command

$ vault write auth/jwt/role/myproject-staging - <<EOF
{
  "role_type": "jwt",
  "policies": ["myproject-staging"],
  "token_explicit_max_ttl": 60,
  "user_claim": "user_email",
  "bound_claims": {
    "project_id": "22",
    "ref": "master",
    "ref_type": "branch"
  }
}
EOF

I would like to instead incorporate the user_email and job_id to construct the user_claim

For an example JWT payload, I want to have user_claim to be myuser@example.com_1212

{
  "jti": "c82eeb0c-5c6f-4a33-abf5-4c474b92b558",
  "iss": "gitlab.example.com",
  "iat": 1585710286,
  "nbf": 1585798372,
  "exp": 1585713886,
  "sub": "job_1212",
  "namespace_id": "1",
  "namespace_path": "mygroup",
  "project_id": "22",
  "project_path": "mygroup/myproject",
  "user_id": "42",
  "user_login": "myuser",
  "user_email": "myuser@example.com",
  "pipeline_id": "1212",
  "pipeline_source": "web",
  "job_id": "1212",
  "ref": "auto-deploy-2020-04-01",
  "ref_type": "branch",
  "ref_protected": "true",
  "environment": "production",
  "environment_protected": "true"
}

Is it possible to parametrize the user_claim?

jeffsanicola · September 22, 2022, 11:42am

In my experience you have to pick one of the attributes in the JWT.

Not sure if you’re using enterprise or not, but keep licensing in mind if you are or plan to. If you construct a user claim per email+job_id that could potentially impact your consumed client licenses (basically each job run would consume a license for a month) as a new Identity Entity will be created for each unique user claim.

You can merge the related entities after the fact, or pre-create an alias associated with a known entity (although I think that would be pretty difficult to predict in this case), but I don’t know what immediate impact merging would have on licensing.